--- rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch 2021/05/31 03:19:21 1.1 +++ rpms/e-smith-base/sme10/e-smith-base-5.8.0-bz11552-renewkey.patch 2021/05/31 05:50:15 1.2 @@ -1,6 +1,6 @@ diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 22:12:33.595000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-30 23:06:09.991000000 -0400 ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.crt 2021-05-31 01:49:45.333000000 -0400 @@ -1,5 +1,6 @@ { use constant KEYLIFEINDAYS => $modSSL{KeyLifeInDays} || 365; @@ -36,7 +36,7 @@ diff -Nur --no-dereference e-smith-base- if ( diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 22:12:33.596000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-30 23:06:09.728000000 -0400 ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.key 2021-05-31 01:49:45.114000000 -0400 @@ -1,26 +1,22 @@ { use Cwd; @@ -77,7 +77,7 @@ diff -Nur --no-dereference e-smith-base- # as root diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 22:12:33.789000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-30 23:06:08.793000000 -0400 ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/10openssl 2021-05-31 01:49:44.221000000 -0400 
@@ -1,13 +1,8 @@ { $OUT = ''; @@ -97,8 +97,11 @@ diff -Nur --no-dereference e-smith-base- } diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 22:12:33.789000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-30 23:06:08.992000000 -0400 -@@ -3,16 +3,16 @@ ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/20key 2021-05-31 01:49:44.474000000 -0400 +@@ -1,18 +1,19 @@ + { ++ use esmith::ssl; + my $domain = $DomainName || "localdomain"; my $hostname = $SystemName || "localhost"; $OUT = ''; @@ -121,14 +124,16 @@ diff -Nur --no-dereference e-smith-base- + }); + + # choose which key to put in pem -+ my $key = ( defined $modSSL{'key'} and -f $modSSL{'key'} ) ? $modSSL{'key'} : $dkey; ++ my $key = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) ) ? $modSSL{'key'} : $dkey; open(KEY, $key) or die "Could not open key file: $!"; my @key = ; chomp @key; diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 22:12:33.789000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-30 23:06:09.234000000 -0400 -@@ -2,16 +2,16 @@ ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/40crt 2021-05-31 01:49:44.674000000 -0400 +@@ -1,17 +1,18 @@ + { ++ use esmith::ssl; my $domain = $DomainName || "localdomain"; my $hostname = $SystemName || "localhost"; 
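Review bot: The 20key fragment now calls `related_key_cert` as a bare function after the added `use esmith::ssl;`, so it relies on esmith::ssl exporting that name by default; the module's export list is not part of this diff, and if the name is not on `@EXPORT` the call is an undefined subroutine at template expansion time. Importing it explicitly, `use esmith::ssl qw(related_key_cert);`, or calling `esmith::ssl::related_key_cert(...)` removes the dependency on the default export list. The same applies to the `use esmith::ssl;` added to 40crt in the next hunk (`@@ -121,14 +124,16 @@`). The enclosing template block starts outside the hunk.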
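Review bot: When `modSSL{key}` and `modSSL{crt}` are both set but `related_key_cert` returns 0, the new selection line in 20key silently falls back to `$dkey`, so an operator who configured a custom certificate gets the generated one in ssl.pem with no indication why; a warning after the assignment would make the fallback visible, e.g. `warn "modSSL key/crt are set but are not a matching pair; using $dkey\n" if $key eq $dkey and defined $modSSL{'key'};`. The same predicate is repeated verbatim for the cert in 40crt (`@@ -151,13 +156,13 @@`); if the two copies ever diverge the pem would pair a custom key with the default cert, so one helper in esmith::ssl returning the usable key/cert pair, called from both fragments, would keep them in lock-step. The `open(KEY, $key)` on the following context line is a two-argument open on a path taken from the config DB; the three-argument form `open my $kfh, '<', $key or die "Could not open key file: $!";` stops a leading `>` or `|` in the stored value from being read as an open mode. The enclosing template block starts outside the hunk.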
@@ -151,13 +156,13 @@ diff -Nur --no-dereference e-smith-base- + }); + + # choose crt to add to pem -+ $crt = ( defined $modSSL{'crt'} and -f $modSSL{'crt'} )? $modSSL{'crt'} : $dcrt; ++ $crt = ( defined $modSSL{'key'} and defined $modSSL{'crt'} and related_key_cert($modSSL{'key'},$modSSL{'crt'}) )? $modSSL{'crt'} : $dcrt; open(CRT, $crt) or die "Could not open crt file: $!"; my @crt = ; chomp @crt; diff -Nur --no-dereference e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem --- e-smith-base-5.8.0.old/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 22:12:33.789000000 -0400 -+++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-30 23:06:09.486000000 -0400 ++++ e-smith-base-5.8.0/root/etc/e-smith/templates/home/e-smith/ssl.pem/60pem 2021-05-31 01:49:44.893000000 -0400 @@ -1,4 +1,6 @@ { + my $domain = $DomainName || "localdomain"; @@ -167,8 +172,8 @@ diff -Nur --no-dereference e-smith-base- { diff -Nur --no-dereference e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm --- e-smith-base-5.8.0.old/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 1969-12-31 19:00:00.000000000 -0500 -+++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-30 23:06:10.229000000 -0400 -@@ -0,0 +1,110 @@ ++++ e-smith-base-5.8.0/root/usr/share/perl5/vendor_perl/esmith/ssl.pm 2021-05-31 01:49:45.570000000 -0400 +@@ -0,0 +1,154 @@ +package esmith::ssl; + +use strict; @@ -182,6 +187,7 @@ diff -Nur --no-dereference e-smith-base- +my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; +our $SystemName = $configdb->get('SystemName')->value; +our $DomainName = $configdb->get('DomainName')->value; ++our $FQDN = "$SystemName.$DomainName"; + +# test key size +# test key exists 
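Review bot: The new `our $FQDN` is computed once, when esmith::ssl is first loaded, from the config DB opened at module top level, and is then the default path for every sub in the module; a comment such as `# Resolved once at module load; a long-lived process keeps the SystemName/DomainName seen then` would save the next reader from looking for a per-call refresh. The context line two above it dies with "Could not open accounts db" although the call opens ConfigDB; since this hunk already touches the block, `die "Could not open configuration db"` is a cheap correction.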
@@ -216,9 +222,8 @@ diff -Nur --no-dereference e-smith-base- + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; + my %modSSL = $configdb->as_hash('modSSL'); + my $KeySize = $modSSL{KeySize} ||'4096'; -+ my $FQDN = "$SystemName.$DomainName"; + my $key = shift || "/home/e-smith/ssl.key/$FQDN.key"; -+ if ( -f $key ) ++ if ( -f $key ) + { + #print "$key exists\n"; + # check key size openssl rsa -in /home/e-smith/ssl.key/$host.$domain.key -text -noout | sed -rn "s/Private-Key: \((.*) bit\)/\1/p" @@ -251,9 +256,8 @@ diff -Nur --no-dereference e-smith-base- + my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db"; + my %modSSL = $configdb->as_hash('modSSL'); + my $KeySize = $modSSL{KeySize} ||'4096'; -+ my $FQDN = "$SystemName.$DomainName"; + my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; -+ if ( -f $crt ) ++ if ( -f $crt ) + { + #openssl x509 -text -noout -in /home/e-smith/ssl.crt/$host.$domain.crt| sed -rn "s/Public-Key: \((.*) bit\)/\1/p" + my $signatureKeySize = `openssl x509 -text -noout -in $crt | grep "Public-Key" | head -1`; 
@@ -271,6 +275,51 @@ diff -Nur --no-dereference e-smith-base- + return 0; +} + ++sub cert_is_cert { ++ my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; ++ if ( -f $crt ) ++ { ++ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle ++ close STDERR; ++ my $exit_code=system("openssl","x509", "-noout", "-in", "$crt"); ++ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT ++ if ($exit_code==0){ ++ #print "certificate is a certificate\n"; ++ return 1; ++ } ++ } ++ return 0; ++} ++ ++sub key_is_key { ++ my $key = shift || "/home/e-smith/ssl.key/$FQDN.key"; ++ if ( -f $key ) ++ { ++ open my $oldout, ">&STDERR"; # "dup" the stdout filehandle ++ close STDERR; ++ my $exit_code=system("openssl","rsa", "-noout", "-in", "$key"); ++ open STDERR, '>&', $oldout; # restore the dup'ed filehandle to STDOUT ++ if ($exit_code==0){ ++ #print "key is a key\n"; ++ return 1; ++ } ++ } ++ return 0; ++} ++ ++sub related_key_cert { ++ my $key = shift || "/home/e-smith/ssl.key/$FQDN.key"; ++ my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt"; ++ if ( key_is_key($key) and cert_is_cert($crt) ) ++ { ++ # check the cert and the key are related, if key has been changed, then we need to change the cert ++ my $crt_md5 = `openssl x509 -noout -modulus -in $crt | openssl md5`; ++ my $key_md5 = `openssl rsa -noout -modulus -in $key | openssl md5`; ++ #print "$key_md5 eq $crt_md5\n"; ++ return 1 if $key_md5 eq $crt_md5; ++ } ++ return 0; ++} +##TODO migrate those actions from +# check cert is related to key +# => /etc/e-smith/templates/home/e-smith/ssl.crt
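Review bot: `related_key_cert` interpolates `$key` and `$crt` into backtick shell commands, while `key_is_key` and `cert_is_cert` added in the same hunk already use list-form `system()`; the paths reach this sub from `modSSL{key}`/`modSSL{crt}` via the templates, so a stored value containing shell metacharacters is executed by the shell instead of being passed to openssl as a filename. The comparison also fails open: if both `-modulus` runs print nothing (an openssl error on each, which the two gating checks do not rule out for every input), both backticks hold the md5 of empty input and `$key_md5 eq $crt_md5` is true, so the sub reports "related" precisely when it could not check. The rewrite below runs openssl without a shell, treats a non-zero exit or empty output as unrelated, and compares the moduli directly. Separately, the comments `# "dup" the stdout filehandle` and `# restore the dup'ed filehandle to STDOUT` in `cert_is_cert`/`key_is_key` describe STDERR, and `open my $oldout, ">&STDERR"` is a two-argument open whose three-argument form is `open my $oldout, '>&', \*STDERR`. Because `key_is_key` runs `openssl rsa`, a non-RSA private key is reported as "not a key"; if that is intended it deserves a one-line comment saying so.
```perl
sub related_key_cert {
    my $key = shift || "/home/e-smith/ssl.key/$FQDN.key";
    my $crt = shift || "/home/e-smith/ssl.crt/$FQDN.crt";
    return 0 unless key_is_key($key) and cert_is_cert($crt);
    # A replaced key no longer shares the cert's modulus; an openssl failure
    # must compare as "unrelated", never as equal.
    my $crt_mod = _modulus_of('x509', $crt);
    my $key_mod = _modulus_of('rsa',  $key);
    return 0 unless defined $crt_mod and defined $key_mod;
    return $crt_mod eq $key_mod ? 1 : 0;
}

# Run "openssl <cmd> -noout -modulus -in <file>" with no shell involved and
# return its stdout; undef when openssl exits non-zero or prints nothing.
sub _modulus_of {
    my ($cmd, $file) = @_;
    open my $fh, '-|', 'openssl', $cmd, '-noout', '-modulus', '-in', $file
        or return;
    my $out = do { local $/; <$fh> };
    close $fh;
    return if $? != 0 or !defined $out or $out !~ /\S/;
    return $out;
}
```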